How to do DNS Spoofing with Ettercap easily?

Ettercap is one of the best available platforms for executing man-in-the-middle (MITM) attacks. In this article, we will show you a DNS spoofing tutorial that you can follow using Ettercap.

It has features for sniffing live connections and filtering content, as well as many other interesting attacks. It also supports passive and active dissection of protocols and performs both network analysis and host analysis.

Download and install the Ettercap package from here.

You can also install from the mirror as follows:

# apt-get install ettercap-gtk ettercap-common

This article will explain how you can perform DNS spoofing as well as ARP poisoning on the LAN using the Ettercap tool.

Note and Warning: You should not execute this on any network or system that you do not own. You may only execute it on your own network, and only in order to learn. Also, it is very important not to execute it on a production system. You can set up a small network for testing purposes so that you can play with the utility in order to learn.

The Basics of Ettercap

First, you need to learn the basics of Ettercap. Ettercap has the following four types of user interface:

Text Only – ‘-T’ option
Curses – ‘-C’ option
GTK – ‘-G’ option
Daemon – ‘-D’ option

In this article we will focus on the graphical user interface, since it is much easier for the purpose of learning.

Launching an ARP Poisoning Attack

To start: we have already covered what ARP is, what it is for, and why ARP cache poisoning is possible. If you haven't read that yet, take a look at it first. In this article, I will show you how to perform it.

The following diagram shows the architecture of the network. All the attacks explained below are performed with this network diagram in mind. Using Ettercap in a production environment is not permitted.

ettercap-arch

Launch Ettercap using this command on the 122 machine (192.168.1.122):

# ettercap -G

Next, click "Sniff" and go to "Unified Sniffing". Ettercap will then list the available network interfaces. Choose the interface that you want to use for the ARP poisoning.

eth1

Once the interface has been selected, this window will open:

ettercap

Our next step is to add the list of targets that we are going to use for the ARP poisoning. For instance, here we will add 192.168.1.51 and 192.168.1.10 in the targets section.

Then click "Hosts -> Scan for Hosts".

It will start scanning for the hosts present on your network.
Once the scan has completed, click "Hosts -> Host List". It will list the hosts available on the LAN as shown below:
From that list, select "192.168.1.51" and click "Add to Target 1", then select "192.168.1.10" and click "Add to Target 2".

Now select "Mitm -> Arp Poisoning" as follows:

MITM

After doing the above, this dialog box will open. Select "Sniff Remote Connections" and then click "OK".

ettercap6

Then click "Start -> Start Sniffing" as follows:

start sniffing

Now ARP has been poisoned, i.e. the 122 machine will start sending ARP packets saying "I'm 1.10". To verify it, from 192.168.1.51 run "ping 192.168.1.10". Then open Wireshark on the 192.168.1.122 machine with an ICMP filter applied. You will see ICMP packets from 192.168.1.51 to 192.168.1.122, as shown in the picture below.

ettercap-wireshark

Starting The DNS Spoofing Attack in LAN

The concept behind DNS spoofing is as follows:

Machine A runs "ping google.com".

Now it needs to find the IP address of google.com.

So it queries the DNS server for the IP address of the domain "google.com".

The DNS server, following its own concept and hierarchy, obtains the IP address of the domain google.com. It then returns that IP address to Machine A.

Here we will see how we can spoof the DNS.

There are a lot of plugins that come pre-installed with Ettercap. One such plugin is called dns_spoof. We will use that plugin to demonstrate DNS spoofing.

Open /usr/share/ettercap/etter.dns on the 122 machine and add the following lines:

*.google.co.in A 192.168.1.12
*.google.com A 192.168.1.12
google.com A 192.168.1.12

www.google.com PTR 192.168.1.12
www.google.co.in PTR 192.168.1.12

Here, 192.168.1.10 will be our DNS server. So, to do DNS spoofing, the first thing we do is the ARP poisoning explained earlier in this tutorial. Once you are done with the ARP step, follow the steps below.

Select "Plugins -> Manage Plugins" as in the screenshot below:

ettercap8

Then select the "dns_spoof" plugin and activate it.

ettercap9
Now, from 192.168.1.51, ping google.com:

$ ping google.com

PING google.com (192.168.1.12) 56(84) bytes of data.
64 bytes from www.google.co.in (192.168.1.12): icmp_seq=1 ttl=64 time=3.56 ms
64 bytes from www.google.co.in (192.168.1.12): icmp_seq=2 ttl=64 time=0.843 ms
64 bytes from www.google.co.in (192.168.1.12): icmp_seq=3 ttl=64 time=0.646 ms

You will see that it returns the IP address of the machine we selected in our configuration.
Finally, I hope this article has given you value and insight into ARP poisoning and DNS spoofing. Once you have done this, you have to stop the MITM attack.
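As an added defender-side example, not part of the original article: a small Python script that flags the two symptoms this tutorial produces on the wire, a public name resolving to a private address (as in the ping output above) and one IP announced from two different MACs. The sample DNS answers, ARP observations and the LOCAL_SUFFIXES allowlist are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample DNS answers, as a resolver log or packet capture might
# yield them: (queried name, answer address). The google.com -> 192.168.1.12
# entry mirrors the spoofed result shown in the ping output above.
DNS_ANSWERS = [
    ("google.com", "192.168.1.12"),
    ("www.google.co.in", "192.168.1.12"),
    ("intranet.corp.local", "192.168.1.50"),
    ("example.org", "93.184.216.34"),
]

# Constructed sample ARP observations: (sender IP, sender MAC). A single IP
# announced from two MACs is the signature of the ARP poisoning step above.
ARP_SEEN = [
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.10", "aa:bb:cc:00:01:22"),
    ("192.168.1.51", "aa:bb:cc:00:00:51"),
]

# Name suffixes that legitimately resolve to private addresses (assumed).
LOCAL_SUFFIXES = (".local", ".lan", ".internal")


def suspicious_dns(answers, local_suffixes=LOCAL_SUFFIXES):
    """Return (name, ip) pairs where a non-local name resolves to a private,
    loopback or link-local address, which is what a LAN DNS spoof produces."""
    flagged = []
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        is_local_name = name.lower().endswith(local_suffixes)
        if not is_local_name and (addr.is_private or addr.is_loopback
                                  or addr.is_link_local):
            flagged.append((name, ip))
    return flagged


def arp_conflicts(observations):
    """Return {ip: sorted MAC list} for IPs announced by more than one MAC."""
    macs = defaultdict(set)
    for ip, mac in observations:
        macs[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    print("spoofed-looking DNS answers:", suspicious_dns(DNS_ANSWERS))
    print("ARP IP->MAC conflicts:", arp_conflicts(ARP_SEEN))
```

Feeding real resolver logs or ARP table snapshots into these two functions gives a quick check that the MITM has actually been stopped after the tutorial.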

ettercap11

Finally, it won't hurt to repeat the warning again. Do not execute this on a network or system that you don't completely own. You can set up a small network or system just for the purpose of testing and playing around with this utility so that you can learn.
